8 comments

[ 4.8 ms ] story [ 27.6 ms ] thread
OWASP 2019 A7: cross-site framing.
I think I'm totally fine with this. The only issue I can see is whether or not the warrants to hack these servers are justified. Warrants should be issued when there's good reason to suspect criminal activity, and if they're issued to search obviously innocent people then that's wrong, just like all other warranted searches or spying that don't involve computers or hacking.
The reason why drive by attacks are so effective is that often you don't even have to visit the site intentionally. One "trusted" site with some malware can be used to attack people that never actually intentionally visit it, whether be by normal content syndication or by the same attackers using exploits in other sites (content injection) or spamming links, embedding HTML content in emails etc.

What also is important to note that drive by attacks in most cases exploit browser vulnerabilities unless the FBI is really stooping so low to basically run "download codec" or "update flash player" type of phishing attacks that actually depend on the user downloading and running an executable they'll also have to maintain a large enough repository of zero day attacks that target browsers.

Now the problem with "cyber warfare" is that it's basically return to the old days of throwing rocks, one of the reasons we've switched from rocks to bullets is not only because bullets are more effective but because the enemy can't pick up a bullet and shoot it back at you.

When you distribute malware to attack your targets you giving them a rock that can be just as easily turned on you or anyone else, and considering that at least some substantial portion of their intended targets are individuals with sufficient knowledge in computer security to be able to pick up that rock you are now having the FBI handing out zero days to criminals.

> One "trusted" site with some malware can be used to attack people that never actually intentionally visit it

The only thing that bothers me about this is that someone could deliberately embed an iframe of the bugged website similar to a SWATTING attack. So far that doesn't seem to be happening though?

It does, or did, browsers are better protected against iframe injection and various click jacking attacks but it still can happen.

If the FBI has a zero day that doesn't need anything but the content being loaded by the browser to execute code on the target you can easily spread it to anyone you like via content injection, email phishing, old school simply via social media "hey look at this http://goo.gl/P!shing"...

Also since many zero days affect things like flash or the rendering engine it self and thus could be simply exploited via images or any other embedded object you could even do it easier by simply adding that png or webm with the exploit to every forum, blog post, tweet etc.

The FBI "Could" be in my computer? Imagine that world, one where the man "might" be spying on you.
To be clear, "The Man" in this case means software.
My coronation day as king of United States will be when they investigate me.

On that day, the CIA will be my bitch, Intel will be my bitch and Microsoft will be my bitch.

God says... pox prophylactic's monsignori blah's rebellious grieving hatred loxes gemstone convention's Joyce beanbags quantify barricaded balls Nickelodeon Republicans snoop nationality's Sadie's next Bekesy reading backbone Rosalind's headdress monopolistic adoptions agglomeration's Muslim providence Saran's